Healthcare SIG Webinar June 2016 - cdn.ymaws.com

Page 1

Healthcare SIG Webinar June 2016

Page 2

Healthcare Security: Assessing the Third Party Risk

This webinar is generously sponsored by:

Healthcare Security: Assessing Third Party Risk 2

Page 3

Healthcare SIG Webinar Contributors

Stephen Fitton, Information Security Officer - Clinicient, Inc.

Karen McMillen, CISSP, Security Analyst - Asante

Andrew Reeder, CISA, CISM, CISSP, Director, Privacy & Security – Rush University Medical Center

Roy Wattanasin, CSSLP, Information Security Officer – MITM

Page 4

“A chain is no stronger than its weakest link, and life after all is a chain.” - William James

Page 5

Discussion Points

Third Party Risk Assessments (TPRA):

• Some History
• What is a TPRA?
• Why So Important Now?
• Where and When to Use Them
• Examples/Types
• How to Manage Them
• Who Can Help

Page 6

Some Relevant History

Evolution of the Healthcare Patient Care Model
• Focus from Acute Care to Continuum of Care
• Electronic Medical Record AND Medical Devices
• Evidence-Based: Metrics and “Big Data” management
• Individuals' Rights: Use, Disclosure, and Access to Their Data

Associated Evolution of the HIT Model
• Wide Scope of Data Sharing - The data “supply chain”
• Networked Medical Systems – and life-supporting medical devices
• Very Large Stores of Sensitive Data
• Emphasis on Privacy and Security

And HIT Must Follow the Evolution of Global IT
• Commoditized - BYOD
• Online, Collaborative – Outsourcing and Cloud Technology
• Mobile – eMR on your iPhone
• Virtualized – Telemedicine and “virtual hospitals”

Page 7

What is a “Third Party”?

For our purposes, a “third party” is an outside entity with access to, or control of, Enterprise systems and/or data, and which may provide a service to an organization.

Examples include:
• Business Associates AND other entities which provide functions or activities for the organization
• Business Partners
• Contractors
• Vendors
• Cloud Services
• Other Managed Service Providers (e.g., transcription services)

Page 8

What is a Third Party Risk Assessment (TPRA)?

A documented assessment of a third party’s information security risk profile, derived from one or more of the following:
• Security control documentation/checklists
• Standardized Information Gathering (SIG)
• Facility walkthrough
• Verification, e.g., contract Agreed Upon Procedures (AUP)
• Staff interviews
• Security testing: website and system scan results
• System configuration and log reports
• External audit reports (SSAE 16, etc.)

Page 9

Why are TPRAs Important?

• Regulatory Requirement - Risk Assessments: OCR will investigate and can penalize cases of “willful neglect”
• Stakes are High: 70% of reported breaches are from Business Associates
• Patient dependence on systems - loss of availability risk
• Increased Use of and Dependency Upon TPs: Cloud migration and outsourcing
• Response to paradigm shift: Infrastructure security model vs. data-centric security model
• Business Associate agreements are usually not specific enough for litigation: A signed BAA does not protect Covered Entities and Business Associates from liability.

BOTTOM LINE: TPRAs must be a key element of any Security Program.

Page 10

Regulatory Considerations

• HIPAA Security Rule - Includes requirements for Administrative, Technical, and Physical safeguards which are either Required or Addressable. The conduct of a Risk Assessment is required and found under the Administrative Standards of “Security Management Process” (CFR 164.308(a)(1)(i)) and “Evaluation” (CFR 164.308(a)(8)).
• HITECH Act/Omnibus Rule – Includes Privacy and Security Rule compliance requirements for Business Associates contracted by a Covered Entity.
• “Meaningful Use” is the incentive program established under the American Recovery and Reinvestment Act of 2009 and promotes the adoption of electronic health record technology. Includes a requirement for the conduct of a Security Risk Analysis and to correct security deficiencies (CFR 164.308(1)(ii)(A)).
• Federal and State requirements - Typically don’t define HOW to conduct a risk assessment; only that one be accomplished. A TPRA can be considered a best practice and should be part of ongoing risk assessment activities.
• Checking for the existence of Security Risk Assessment efforts is included in the audit program of the Office for Civil Rights.

Page 11

Also – Industry Requirements Examples:

• PCI 3.0, 12.8.2: Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
• ISO: Required for ISO 27001 Information Security Certification
• NIST SP 800-39, Managing Information Security Risk: A key component of NIST compliance

Page 12

The TPRA Conundrum

• Lack of Consistent or Standard Templates, Content & Methodology
• Different Vulnerability and Control Types According to Object of Review:
  • Application – company hosted
  • Cloud Services - SaaS, PaaS and IaaS: Cloud Security Alliance - Cloud Controls Matrix (CCM)
  • Medical Devices - MDS2 (Manufacturer Disclosure Statement for Medical Device Security form)
  • Healthcare Services – e.g., Transcription Services
  • Mobile Device Controls
  • SSAE 16 and other third party risk assessments

Page 13

TPRA Support & Tools: You Don’t Have to Create Your Own!

• Well Known Framework Controls & Questionnaires: NIST, HITRUST, ISO, PCI
• Shared Assessments Program (est. 2005): Standardized and objective vendor assessment methodology; member input and annual review of tools
• International Computer Alliance Security (ISAC): In response to the 1998 UK Data Protection Act (DPA). Categories of assessment according to third party type/size
• CIS – Center for Information Security “Benchmarks”: Platform specific security control baseline recommendations
• GOOGLE – Scalable Vendor Security Reviews: VSAQ Framework
• Vendor Shared Assessment Programs – Industry-specific offerings

Page 14

TPRA Example 1: Cloud Security Alliance Cloud Controls Matrix

Page 15

TPRA Example 2: Medical Device

Page 16

TPRA Example 3: SharedAssessments.com - SIG

Page 18

Managing the TPRA Process

• Know Where Your Third Parties Are
  • Begin with your Contracts & Purchasing Departments
  • Network scans help locate non-inventoried vendor systems
• Begin with Education
  • Executive
  • Enterprise Policies & Procedures
  • Targeted Departments (e.g., Purchasing, Legal, PMO)
• Create Appropriate Business Processes/Workflows
  • Capital Purchase Request notification to IT Security
  • Clinician education on vendor security requirements
• Develop or Purchase Tools
  • Assessment templates (surveys, checklists)
  • GRC database/reporting
• Obtain Sufficient Staffing to Support TPRA
  • Part of Management Education Process
  • Vendor support becoming available

Page 19

The Vendor Risk Management Maturity Model (VRMMM)

• Three Components: Program Definition, Execution and Management
• Five Levels of Proficiency/Maturity
• Provides a Good Roadmap for Improvement
• Provides a Good Management Reporting Tool

And what is your VRMMM rating?

Page 20

Other Points to Consider

• Remember that all data has a lifecycle: Address destruction or return of data from Business Associates after the contract ends
• Ask your Business Associates how they perform due diligence on securing THEIR Business Associates as well

“…an upstream entity will be in violation of the regulations if it ‘knows’ of ‘a pattern of activity or practice’ which ‘constitutes a material breach or violation’ of the Business Associate Contract, and fails to either take ‘reasonable steps to cure the breach,’ or terminates the contract.”

© 2013 John R. Christianson and the American Bar Association, The HITECH Business Associate Contract Bible: Provisions for Covered Entities, Business Associates and SubContractors

• Ask your Legal Department how your vendor contracts address security requirements beyond the BA – e.g., is the contract void if the vendor does not fulfill its security agreement?
• Cyber Insurance: Do your Executives expect cyber insurance to cover third party breaches? Will it?

Page 21

Summary

• TPRAs have become a key element of any Information Security Program: Lack of a TPRA program = risk
• TPRAs have grown out of the changes in the Healthcare Model, HIT and global IT trends.
• TPRAs are required for HIPAA compliance
• TPRA management requires management education and the development of internal and external business processes
• TPRA best practices and standards are still evolving
• Industry support and third party security management niche vendors are developing – but growing!
• Pay Attention to What’s Going On. It’s important.

Page 22

Guest Speaker & Panelist

Jonathan Dambrot, CEO/Co-Founder, Prevalent, Inc.

Prevalent is a leader and industry visionary in third-party risk management and threat intelligence monitoring. They have revolutionized the way organizations manage and monitor their 3rd and 4th party vendor relationships and they recently introduced Prevalent Synapse – the first Unified third-party risk assessment, threat monitoring and collaboration platform.

Jonathan is the CEO and Co-Founder of Prevalent. He has spoken on the need for third-party risk management at the leading industry events including RSA, Shared Assessments Summit, ISACA, ISSA, Infragard, NYSE, and others. Jonathan also helped develop the Risk Assessment Body of Knowledge (RABOK) as part of the development of Shared Assessments efforts to develop the first of its kind certification for third-party risk professionals (CTPRP). Jonathan is currently the Chair of the Shared Assessments Steering Committee, Former Chair of the Shared Assessments SIG Committee, and sits on the Penn State Outreach Advisory Board.

Prior to working in the technology industry, Jonathan launched a highly successful consumer products company where he won several collegiate entrepreneurial awards. Jonathan is a graduate of Fairleigh Dickinson University, received his MBA from The Pennsylvania State University, is a Certified Third-Party Risk Professional (CTPRP), and a Certified Information Systems Security Professional (CISSP).

Page 23

2016 Ponemon Study - 3rd Party Risk Landscape

• 56% of respondents say they do NOT know what IP and other high value "crown jewels" are in the hands of third parties
• Only 26% of respondents say the process they use to assess third party risk is effective.
• 75% of respondents consider 3rd Party Risk serious & increasing, while 70% say that 3rd Party Risk is SIGNIFICANTLY INCREASING

Ponemon Institute. Tone at the Top and Third-Party Risk. April 2016

Page 24

A Unified Platform

Page 25

The Synapse Approach

• Current methods focus on a one-to-one relationship model
• Synapse approach focuses on scale, automation, and leveraged content to build a third-party assessment ecosystem that continuously grows

Page 26

Synapse Architecture

Page 27

Synapse Use Cases

Enterprise Networks
• Example: PayPal - automate processes, reduce costs & scale to a large number of global vendors using the Synapse approach

Vertical Networks
• Example: Legal Vendor Network - top global law firms have standardized assessment & continuous monitoring using the Synapse approach

Service Provider Networks
• Example: Ellie Mae – enabling Ellie Mae vendors and partners to provide third and fourth-party visibility to clients

Page 28

Vertical Network Example (Healthcare network coming soon!)

• What is Legal Vendor Network?
  • A membership-based program designed for law firms to assess and monitor 3rd party vendors for security and data risk
• What are the Benefits?
  • Vendor Repository in Prevalent’s Vendor Risk Manager
  • Scaled to assess vendors of all sizes; 2 person to 100,000 person vendors
  • Mechanism to determine whether other firms use vendor
  • Pre-Assessment to determine vendor importance and leveling
  • Threat intelligence and network sharing available to all members

Page 29

Service Provider Network: Ellie Mae

Page 30

PANEL Q & A